Running Claude Code dangerously (safely)

Posted by emilburzo 1/20/2026

Running Claude Code dangerously (safely)(blog.emilburzo.com)

351 points | 258 commentspage 4

pshirshov 1/20/2026|

Bubblewrap + nixos, much easier: https://github.com/7mind/nix-config/blob/main/modules/hm/dev...

fwystup 1/20/2026||

I'm currently building a Docker dev environment for VSCode (github.com/dg1001/xaresaicoder) usable in a browser and hit the same issue. Without docker-in-docker it works well - I even was able to add transparent proxy in the Docker network to restrict outbound traffic and log all LLM calls (pretty nice in order to document your project). For docker-in-docker development and better security isolation, I'm considering Kata Containers instead of Vagrant. Which gives me real VM-level isolation with minimum perf overhead, while still be able to use my docker stuff. Still on my TODO list though. Has anyone actually run Kata with vs code server? Curious about real-world quirks - I've read that storage snapshot performance can be rough.

ompogUe 1/13/2026||

Keeping in mind with Vagrant: if you are using a synced_folder in your host as a source folder in the VM, those files in the synced_folder will be modified on the host.

emilburzo 1/14/2026||

Good point. For me, that was intentional, since all my projects are in git I don't care if it messes something up. Then you get the benefit of being able to use your regular git tooling/flows/whatever, without having to add credentials to the VM.

But if you need something more strict, 'config.vm.synced_folder' also supports 'type rsync', which will copy the source folder at startup to the VM, but then it's on you to sync it back or whatever.

ompogUe 1/14/2026||

I like this workflow a lot, actually. Docker is great and all, but depending on the project, Vagrant helps "keep it simple".

Thanks

gregoriol 1/20/2026|||

If the folder is versioned and commited regularly there is no problem. It also allows you to open the files in your IDE, do some other tasks or fixes for claude. It prevents claude from accessing any other folder, which is the idea of the post.

fragmede 1/20/2026|||

Until Claude nukes .git, assuming you're using git as the version/commit store. Solution use easy, just push to a remote on a reasonable cadence (that you can run reflog on, so a force push won't eat your data either). Git isn't backup though, it's a VCS, and those are two different things, even if they are somewhat alike.

gcr 1/20/2026|||

I’ve seen Claude rm .git in rare occasions to “fix rebase hiccups”

Version control ain’t a match for a good backup

gregoriol 1/20/2026||

So? if it removes .git, just clone the project again and you are ok

gcr 1/22/2026||

In that case, you're just relying on your remote backup :-)

ninadwrites 1/20/2026||

[dead]

jillesvangurp 1/20/2026||

I'm currently using a qemu vm for the codex with the --yolo flag but same thing. I've been also looking at using lima for automating the creation of vms. But it does a few weird/dangerous things like mounting the entire user directory read/write. Which kind of defeats the point. There are ways of turning that off probably but it does a few dangerous/annoying things wrong by default.

But a simple vm and some automation to install developer tools using ansible, nix or whatever you prefer isn't that hard to (vibe) code together. I like Lima but it feels slightly sub-optimal for the job currently.

Some useful things to consider:

- Ssh agent forwarding for authenticating against e.g. git is useful. But maybe don't use the same key that authenticates to your production machines as well ...

- How do you authenticate without a browser? Most AI tools have ways to deal with that but it's slightly tedious to automate during provisioning.

- Making sure all your development tools are there; I use things like sdkman, nvm, bun, etc. And I have my shell preferences and some other tools I like to have around.

- Minimizing time provisioning these vms over and over again. This gets tedious really quickly.

- Keeping the VMs fast is important too. In my projects, build tool performance adds up and AI tools like to call them a lot. So assign enough memory and CPU.

- It would be nice to switch between local and remote/cloud based vms easily.

- Software flexibility; developers are picky about their tools. There is no one size fits all here. Even just deciding on the base image to use for your vm is likely to escalate. I picked debian for what it is worth.

In short, I think there's enough out there that you can pull something together but it still involves quite a bit of DIY. It would be nice if this got easier. And AI tools asking for permission for everything is not a good security model. Because people just turn that off. Sandboxing those things is the way to go. But AI tools need to be able to do enough to work with your software.

jannesblobel 1/20/2026||

If your system were under version control, so that Claude could do whatever it wanted on its own branch, so to speak, would it still be such a big problem? Because you could just roll back if it really did cause problems, couldn't you?

jannesblobel 1/20/2026|

Perhaps I should add something here. It always depends on the task. Claude with SUDO access doesn't seem right to me either, but I wouldn't run that anywhere else either.

sandGorgon 1/20/2026||

Or...use wsl2 in windows. does the same thing - much much faster.

Windows is the best (sandboxed) linux

strickjb9 1/20/2026||

Real question - are you not worried about access to /mnt/c ?

kachapopopow 1/20/2026||

sudo chmod 700 /mnt/

sudo chmod $UID /mnt/<project_path>

...done?

guluarte 1/20/2026||

tools inside wsl have full control of the windows filesystem

tracker1 1/21/2026||

Hmm... I'm relatively new, but I've been using utility scripts in a run/ directory in my project that will spin up containers based on compose, and that includes dev containers volume mapped to my host directories in a given project. It's worked pretty well for me at least. Similar to TFA, it's been able to configure services in the compose file, update the utility scripts and diagnose problems in the services in runtime and dev modes respectively. No browser integration though, but I'm sure playwright/puppeteer work.

skybrian 1/20/2026||

I'm doing this with a remote VM on exe.dev and it's quite nice. Well, actually with their own coding agent but they have Claude Code preinstalled too.

Syncthing works well for getting a local copy of a directory from the VM.

FourSigma 1/20/2026||

I've been exploring this space. There are some use cases where I'd love to run an isolated Claude agent asynchronously. I think running Docker in rootless mode might solve some of the OP's concerns—I believe Podman does this implicitly. Also, there are tools like Kaniko that does not need Docker to create container images. You can also try changing the underlying container runtime to something like gVisor if you want more security.

Does anybody have experience using microVMs (Firecracker, Kata Containers, etc.) for this use case? Would love to hear your thoughts.

fwystup 1/20/2026|

Posted almost at the same time about Kata. I'm trying to use Kata as replacement for the standard docker runtime (since I already have a tool based on docker).

The idea is to simply use the runtime flag (after kata install):

docker run -d --runtime=kata -p 8080:8080 codercom/code-server:latest

Hope this works, with this I could keep my existing docker setup.

FourSigma 1/21/2026||

That is a great idea. Have you looked into Docker's Sandbox feature?

infamia 1/20/2026|

If you're on a Linux or Unix OS, a chroot jail might be a more lightweight solution. the chroot command essentially makes the chrooted directory look like the root dir. You need to set up all the directories claude can access (like /usr/bin or whatever). I haven't tried this yet, but I don't see any reason it wouldn't work. This solution would protect files outside your project from getting trashed, but not malicious data exfiltration.

More comments...